Security researchers poke holes in Safari

Security hunters have discovered numerous bugs in a Windows version of Safari, hours after Apple released a beta version of the browser into the wild. Both Windows and Mac OS X versions of Safari 3 were released at a developer conference in San Francisco on Monday as part of Apple's plans to grow its market share from 4.9 per …

COMMENTS

This topic is closed for new posts.
  1. Igor Mozolevsky

    OMFG, a BETA version has BUGS!!!

    Seriously!

    In other news, numerous companies ship production grade software with major security holes...

  2. Anonymous Coward

    Re: OMFG, a BETA version has BUGS!!!

    Quite; however, it makes a lie out of the "Apple engineers designed Safari to be secure from day one" statement.

  3. Giles Jones

    Indeed...

    It has bugs, and as most security researchers are Windows users, it helps Apple identify bugs to have their browser available for Windows.

  4. MH

    Uh, wha?

    "I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a website," Larholm writes.

    Um, last time I checked, visiting a website required user interaction.

  5. Christopher Stanley

    It just came out and it's beta - give them a break!

    "One of the bugs found in the beta copy of Safari on Windows works on the production copy of OSX as well,"

    Doesn't Maynor understand that Safari 3 for Mac is also beta?

  6. Ashtonian

    Well, I think it's rude

    to hack software with the purpose of causing people problems.

    Well, it's just not polite.

    Having said all that, can't people program anymore?

    Seriously, is it hard? I'm surprised that this has happened with Safari!

  7. Anonymous Coward

    Thin skin

    Security researchers seem to have very thin skin and delicate egos.

  8. Paul Howie

    Not much of a security researcher

    I don't plan to use Safari and I don't intend to defend it, but this "security researcher" isn't a particularly trustworthy sort. He's refused to report details of the vulnerabilities he's found to Apple.

    Either he's withholding them to use for blackmail or he hasn't actually found anything worth mentioning. Either way I think calling him a security researcher might be pushing it a bit since he's not helping to make Safari more secure in any way.

    Beta testing some software and failing to report the bugs that you find is not the most professional of behaviour.

  9. Garry

    re fastest browser on windows

    "Steve Jobs described Safari as "the fastest browser on Windows", claiming that it runs twice as fast as IE."

    Er, no Steve. That would make it the second slowest.

  10. Igor Mozolevsky

    A new classification of security vuln's?

    How is feed://%* a security vulnerability? Exactly what security property does it compromise? Surely it's a dependability/reliability issue??? Same goes for other "security" bugs - just because you can write some code to make a program crash doesn't make you a security wonder-guru!

    As for calling the above "DoS" attacks, I've never laughed harder! Whom exactly are you denying service? The user? No, they are able to restart the app without a problem, and all they have to do is not go to *your* website, or click *your* link. Thus making *you* (the "guru" that put the link up on *your* website) the real luser!..

    /rant over

  11. Igor Mozolevsky

    Re: OMFG, a BETA version has BUGS!!!

    > Quite; however, it makes a lie out of the "Apple engineers designed Safari to be secure from day one" statement.

    Just because something is *designed* to be secure, doesn't make it secure because of various other steps/technologies involved... Have people stopped reading security books???

  12. Anonymous Coward

    Re: Not much of a security researcher

    How about this:

    You are walking down the road, and notice a man drops his watch. You say "you've dropped your watch", and he hits you over the head with his briefcase.

    The next day, you are walking down the same road, and the same man drops his watch. By your logic, you should again tell him, and be beaten again for trying to help. Most people however would just keep walking. I know I would.

  13. Joe

    This was always going to happen

    Hackers will always pounce on the latest thing and tear it to pieces. (This is no different to Vista in that regard!)

  14. Anonymous Coward

    Send in the iClowns...........

    "It has bugs and as most security researchers are Windows users....."

    Not generally....unless they're testing Windows - they certainly aren't Mac users.

    "Beta testing some software and failing to report the bugs that you find is not the most professional of behaviour".

    Publishing results is just that, and presumably Apple are taking their usual approach to security problems that have plagued OSX and not acknowledging reports. If we don't acknowledge it, it isn't a security issue, never mind it's been patched in BSD for 3 months....

    "just because you can write some code to make a program crash, doesn't make you a security wonder-guru!"

    No but finding 4 critical security issues missed by developers in an afternoon puts you well on the way - even in a cobbled up patchwork quilt like Safari.

  15. Igor Mozolevsky

    RE: Send in the iClowns...........

    >> "just because you can write some code to make a program crash, doesn't make you a security wonder-guru!"

    > No but finding 4 critical security issues missed by developers in an afternoon puts you well on the way - even in a cobbled up patchwork quilt like Safari.

    Don't make me laugh - you can write a malformed URL, which gets parsed (presumably by MS's URL parser) and that will lead to a crash... Wow! That is definitely a critical security issue... Remind me, how many times do other programs crash?..

  16. Anonymous Coward

    re iClowns

    "Don't make me laugh - you can write a malformed URL, which gets parsed (presumably by MS's URL parser) and that will lead to a crash... Wow! That is definitely a critical security issue"

    You seem to be confusing your Safari vulnerabilities (quite hard to keep up though, isn't it)....that issue was reported by a separate individual.

  17. Igor Mozolevsky

    RE: re iClowns

    > You seem to be confusing your Safari vulnerabilities (quite hard to keep up though, isn't it)....that issue was reported by a separate individual.

    Given that most of them are not actually vulnerabilities, yes! Maybe some ought to go and look up the difference between a security vulnerability and a bug that makes software crash... Maynor, himself, called the ability to crash an app a DoS vulnerability - which kind of makes pretty much every application vulnerable to DoS, as he classified it... So every time my Windows box crashes, I'll file a critical DoS vulnerability with Microsoft?.. Huh?..

  18. Igor Mozolevsky

    Re: Not much of a security researcher

    > How about this:

    > You are walking down the road, and notice a man drops his watch. You say "you've dropped your watch", and he hits you over the head with his briefcase.

    > The next day, you are walking down the same road, and the same man drops his watch. By your logic, you should again tell him, and be beaten again for trying to help. Most people however would just keep walking. I know I would.

    Well, what do you expect if you pull the watch off his hand, replace it with some third party watch, put it on the floor and then alert him to that?!

  19. Entropy

    @Igor Mozolevsky

    Being able to cause a client's browser to crash just by serving them a webpage or redirecting them to a certain URL would count as a denial of service (it would also interrupt downloads and such).

    >So every time my windows box crashes, I'll file a critical DoS vulnerability with Microsoft?.. Huh?..

    If that crash was induced by an outside attacker then yes, but certainly not every time Windows crashed, or Microsoft would be flooded with people filing critical DoS vulnerabilities.

    >Just because something is *designed* to be secure, doesn't make it secure because of various other steps/technologies involved... Have people stopped reading security books???

    And what technologies might those be? Are you saying that the security vulnerabilities found in Safari come from *other* applications/steps/technologies and not from Safari itself? So why didn't they manifest themselves except in Safari?

    >Don't make me laugh - you can write a malformed URL, which gets parsed (presumably by MS's URL parser)

    Wow, you sound like you know what you're talking about, I'm sorry if someone made you laugh. Now tell me, please, why would Safari utilize an MS URL parser? And if that is the case (though it is not), why don't other browsers crash with that same URL? Please, laugh all you want, but keep your urges to flame people based on dumb misconceptions to yourself.
